ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-443) Treat tokens received over TLS as "encrypted"
Date Tue, 21 May 2013 11:05:18 GMT

    [ https://issues.apache.org/jira/browse/WSS-443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662891#comment-13662891 ]

Colm O hEigeartaigh commented on WSS-443:
-----------------------------------------

Hi Marc,

The spec also says (8.3):

"If transport security is used, the signature (Sig2) MUST cover the message timestamp as illustrated"

So in this case, the key associated with the Subject of the SAML Token is used to sign the
message Timestamp.

Colm.
                
> Treat tokens received over TLS as "encrypted"
> ---------------------------------------------
>
>                 Key: WSS-443
>                 URL: https://issues.apache.org/jira/browse/WSS-443
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0
>
>
> The streaming WS-Security code treats a UsernameToken received over TLS as a SignedSupportingToken. However, it doesn't treat it in the same way for encryption.
> In other words, a UsernameToken received over TLS should satisfy a SignedEncryptedSupportingToken requirement.
> Clarification: This seems to work when the policy is that of EncryptedSupportingToken, but not that of a SignedEncryptedSupportingToken.
